AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Risky primitives are explicit CLI behavior for launching supported AI tools through the Zro endpoint, not install-time or import-time execution.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs zro login or zro launch <tool>
Impact
Configures selected tools to use Zro API credentials and endpoint; no evidence of credential harvesting or exfiltration beyond intended tool environment/config.
Mechanism
User-invoked tool launcher and provider config generator
Rationale
Static inspection shows a user-invoked CLI that stores/uses Zro credentials and launches named AI tools with package-aligned provider configuration. There are no lifecycle hooks, covert network calls, unconsented AI-agent control-surface mutations, or credential exfiltration paths in the inspected source.
Evidence
package.jsondist/cli.jsdist/run.jsdist/key.jsdist/constants.jsdist/tools/codex.jsdist/tools/claude.jsdist/tools/hermes.jsdist/tools/openclaw.jsdist/tools/opencode.jsdist/files.js~/.config/zro/credentials.json/tmp/zro-launch-<pid>-<time>/...~/.config/zro/codex-app/config.toml~/.config/zro/codex-app/.env~/.config/zro/codex-app/zro-models.json
Network endpoints3
inference.moonmath.aiinference.moonmath.ai/v1opencode.ai/config.json
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/run.js spawns external tools and writes launch/config files when user runs zro launch
- dist/tools/codex.js persists Codex App config and .env under ~/.config/zro/codex-app for codex-app mode
- dist/key.js stores ZRO_API_KEY in ~/.config/zro/credentials.json on explicit zro login
Evidence against
- package.json has no install/postinstall/prepare lifecycle hook executed on install
- dist/cli.js only calls run() for explicit CLI invocation
- dist/constants.js endpoint is package-aligned: https://inference.moonmath.ai/v1
- dist/run.js redacts key-like env values in --print output and removes temp launch files after spawn
- dist/tools/hermes.js/openclaw.js/opencode.js read existing user config but write modified copies under temp HOME/XDG_CONFIG_HOME
- rg found no fetch/http client, eval, Function, dynamic require, or native/binary loading
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
UrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/run.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @moonmath-ai/zro@0.1.0
matchedIdentity = npm:QG1vb25tYXRoLWFpL3pybw:0.1.0
similarity = 0.786
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/run.jsView on unpkgFindings
1 Critical1 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/run.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License